-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I would just like to make this important point, as some OpenID servers do not use form tokens at all. Any OpenID server not using some kind of one-time form token is insecure. You are creating a massive hole for any hacker to exploit your users if you do not use them!

If you do not know what a form token is, here is a brief simplified explanation:

A form token provides protection against forms of attack (e.g. CSRF *) which allow a hacker to use your form in a way it wasn't intended. The idea is that a form token appears as a hidden field that can only be used once. It should be a random key, which is longer than 5 characters, and ideally mixed-case alphanumeric and non-alphanumeric characters, that is then hashed using MD5 or SHA1 or a similar hashing method with a salt *. The form token should only be able to be used for that session and that user.

* http://en.wikipedia.org/wiki/Cross-site_request_forgery
* http://en.wikipedia.org/wiki/Salted_hash

Another useful tip for securing OpenID servers is to use referrer checking. Now you might think that this is useless because the referrer can be faked. However, in JavaScript it is more difficult for a hacker to fake the referrer header, as headers can't be easily sent with form posts, so referrer checking can actually increase the security of your server and prevent some CSRF.

Cheers
Gareth

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYeCf0ACgkQrR8fg3y/m1DmLgQAiOCQPEBJHADU6geMZ9Omh0YdtgT/
9b96oOheJZpfn7PSCzZgHOdeF80jhQjOTBTCdTHWrCqD4vAK+jjcQ9CoYlEs8BvwywRE
XYf4VILbhbsIQq5uFILVI/f6twP3uUaHG2BoWF2rMVGlriwBN8BW6L7ne86/1gMnamgE
UGeKV/s=
=qo8l
-----END PGP SIGNATURE-----

_______________________________________________
security mailing list
[EMAIL PROTECTED]
http://openid.net/mailman/listinfo/security
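As an added example (not part of Gareth's message or any OpenID server's code), the following Python sketch implements the two controls the message describes for a state-changing form post: a form token that is bound to one session and accepted only once, and a Referer check that rejects submissions whose referrer names a foreign host. The session ids, host names and the in-memory dict used as the session store are constructed for the example; it draws the token from the OS CSPRNG via `secrets` instead of the salted MD5/SHA1 recipe in the message, and treats a missing Referer as a rejection (a strict policy that is an assumption here, not something the message states).

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for a server session store: session_id -> live (unused) tokens.
_SESSION_TOKENS: dict[str, set[str]] = {}

TOKEN_BYTES = 32  # 256 bits of OS randomness per token


def issue_form_token(session_id: str) -> str:
    """Mint a one-time token, bind it to this session, and return it for the hidden field."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _SESSION_TOKENS.setdefault(session_id, set()).add(token)
    return token


def consume_form_token(session_id: str, presented: str) -> bool:
    """Accept a token only for the session that issued it, and burn it on first use.

    A token presented under a different session, or a second time, is rejected.
    Comparison is constant-time so a wrong guess leaks nothing via timing.
    """
    live = _SESSION_TOKENS.get(session_id, set())
    match = None
    for candidate in live:
        if hmac.compare_digest(candidate.encode(), presented.encode()):
            match = candidate
    if match is None:
        return False
    live.discard(match)  # single use: the same token can never be replayed
    return True


def referrer_allowed(headers: dict, allowed_hosts: set[str]) -> bool:
    """Secondary check: the Referer host must be one of ours.

    A missing Referer is rejected too (assumed strict policy for this example).
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    host = urlsplit(ref).hostname
    return host is not None and host.lower() in allowed_hosts


def handle_form_post(session_id: str, form: dict, headers: dict,
                     allowed_hosts: set[str]) -> str:
    """Decision for one form submission: referrer first, then the one-time token."""
    if not referrer_allowed(headers, allowed_hosts):
        return "rejected: bad referrer"
    if not consume_form_token(session_id, form.get("form_token", "")):
        return "rejected: invalid or reused token"
    return "accepted"


if __name__ == "__main__":
    # Constructed walk-through: a legitimate post, then a replay of the same token.
    ours = {"openid.example"}
    tok = issue_form_token("sess-A")
    good = {"Referer": "https://openid.example/login"}
    print(handle_form_post("sess-A", {"form_token": tok}, good, ours))  # accepted
    print(handle_form_post("sess-A", {"form_token": tok}, good, ours))  # rejected: reused
    bad = {"Referer": "https://attacker.example/form"}
    tok2 = issue_form_token("sess-A")
    print(handle_form_post("sess-A", {"form_token": tok2}, bad, ours))  # rejected: referrer
```

The token check alone stops a cross-site forgery, because the attacker's page cannot read a token that was issued into the victim's session; the Referer check is the cheap second layer the message recommends, and ordering it first means forged requests are dropped before any token state is touched.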
